From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, sigtrm@gmail.com
Date: Thu, 9 Oct 2008 15:38:32 +0200 (CEST)
Subject: Re: Sockstress
Message-Id: <200810091338.m99DcW3a006320@lurza.secnetix.de>
Reply-To: freebsd-security@FreeBSD.ORG, sigtrm@gmail.com
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

This is the wrong mailing list; you should send this to the -security list.
By the way, this kind of attack isn't really new (as far as I can tell from the little information that has been made public so far).  One way to mitigate it is to limit the number of open connections per remote IP address; you can easily do that with PF or IPFW ("limit" option).

Best regards
   Oliver

Lukasz Jaroszewski wrote:
 > Hi,
 > I am wondering about the Sockstress information recently published.  I can't
 > really figure out what new they could have found.  Do we have anything to worry about?
 > ;-)
 >
 > http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332898,00.html
 >
 > ``(...)Sockstress computes and stores so-called client-side SYN cookies and
 > enables Lee and Louis to specify a destination port and IP address.  The
 > method allows them to complete the TCP handshake without having to store any
 > values, which takes time and resources.  "We can then say that we want to
 > establish X number of TCP connections on that address and that we want to
 > use this attack type, and it does it," Lee said.(...)''
 >
 > ``(...)Lee said that when and _if_ specific vendors develop workarounds for
 > the issues, they will release details of those issues.(...)''
 >
 > Was the FreeBSD team contacted? ;)

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich Registry Court, HRA 74606; Management: secnetix
Verwaltungsgesellsch. mbH, Commercial register: Munich Registry Court, HRB 125758;
Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

"Unix gives you just enough rope to hang yourself -- and then a couple
of more feet, just to be sure."
        -- Eric Allman
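The per-source connection limit Oliver mentions, written out as an added pf.conf fragment for FreeBSD.  This is an editor's illustration, not code from the original mail or from the FreeBSD project; the interface name `em0`, the port list, the table name `<abusive_hosts>` and the numeric thresholds are assumed placeholders and must be tuned to the service being protected.

```pf
# Added example (not from the original mail): per-source TCP connection
# limits in PF on FreeBSD.  Interface, ports and thresholds are assumptions.
ext_if = "em0"

# Cap the state table itself: every tracked connection costs kernel memory
# in pf as well as in the TCP stack, so the firewall must not become the
# next thing an attacker can fill up.
set limit states 50000

# Source addresses that exceed the thresholds below are collected here.
# "persist" keeps the table alive even when no loaded rule references it.
table <abusive_hosts> persist

# Drop everything from a source once it has been flagged.
block in quick on $ext_if from <abusive_hosts>

# max-src-conn:      at most 50 simultaneous established TCP connections
#                    from any single source address.
# max-src-conn-rate: at most 15 new connections per 5 seconds per source.
# overload ... flush global: on violation, put the source into the table
#                    and tear down every state it holds, not only the
#                    states created by this rule.
pass in on $ext_if proto tcp from any to ($ext_if) port { 22, 80, 443 } \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 15/5, \
     overload <abusive_hosts> flush global)
```

The IPFW equivalent of the per-source cap is the `limit` option on a stateful rule, e.g. `ipfw add allow tcp from any to me 80 setup limit src-addr 50`, which refuses the 51st concurrent connection from the same source address.  Two caveats apply to either firewall: entries in the overload table never expire on their own, so schedule something like `pfctl -t abusive_hosts -T expire 3600` from cron (and inspect it with `pfctl -t abusive_hosts -T show`), and a per-source limit is only as good as the attacker's address diversity: it lowers the ceiling per IP address but does nothing against an attack spread over many sources, while a threshold set too low will lock out every legitimate user sitting behind one NAT address.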